Back to Blog
Fraud Prevention

Geoblocking and Proxy Detection: Stopping Fraud at the Border

April 12, 20267 min read

Your program terms say United States and Canada only. Your payout report says otherwise. A cluster of conversions arrives from a publisher you approved for North American traffic, except the visitors behind them are routing through a data center in another hemisphere, or bouncing off a consumer VPN that paints every session in a clean domestic coat of paint. On paper the traffic is compliant. In reality you are paying for clicks that never came from where they claim, converting leads your advertiser cannot legally or profitably serve.

This is one of the quietest leaks in publisher marketing. Geo-misrepresented and proxy-masked traffic does not trip the obvious alarms. It has real user agents, plausible timing, and a country code that matches your allowlist because the fraudster picked an exit node that matches your allowlist. The only way to catch it is to stop trusting the country the request advertises and start verifying it at the network level. That is exactly what TrackingMD's Guardian engine does on every single click, impression, and conversion before any of them becomes a billable event.

Not all clicks come from where they claim

Every tracked event that hits your links carries an IP address, and an IP address is far harder to fake than a header. Guardian resolves it in real time through MaxMind GeoLite2 databases, the same industry-standard geolocation data that powers fraud teams across the web. Under the hood, the GeoIpService does three lookups against two local databases:

  • Country and coordinates, from the GeoLite2 City database, so we know the claimed origin of the visitor and where on the map that IP actually sits.
  • ASN and network organization, from the GeoLite2 ASN database, so we know which network the traffic is riding on, not just where it geographically resolves.

That country is then stamped onto every click, conversion, and impression record we store. So beyond the fraud checks below, you get honest, verified geography on all of your reporting, filtered by the network the visitor actually used rather than a value a publisher self-declared in a postback.

Because stale geolocation data is worthless data, the databases refresh themselves. A scheduled geoip:update command pulls fresh GeoLite2 City and ASN builds from MaxMind twice a week (the cadence at which MaxMind publishes them) and installs them where the lookup service reads. If a build ever drifts past its freshness window, the admin health card surfaces it as stale rather than letting you run blind on months-old IP mappings. The geography your fraud rules stand on stays current without anyone touching a server.

Proxy and VPN fingerprinting: reading the network, not the label

The single most common way disallowed traffic slips through per-country terms is anonymization. A visitor in a region your advertiser does not serve connects through a commercial VPN or a rented cloud server, and the exit IP now resolves to a permitted country. The country code lies. The network does not.

Guardian's ProxyDetectionRule looks past the resolved country to the network the request actually rode in on, using two signals:

  1. Data-center origin. Genuine consumer traffic comes from residential and mobile ISPs. It does not come from the autonomous systems that run major cloud and hosting providers. The rule carries a curated list of those data-center ASNs, and traffic originating from one earns a fraud score, because a real shopper is not browsing your offer from inside a hosting rack.
  2. Anonymizer network names. The organization attached to an ASN is a strong tell. When that name contains markers like vpn, proxy, tunnel, anonymizer, or tor, the rule flags it. These are the networks whose entire business is masking where a user really is.

When either fires, Guardian raises a Proxy/VPN Traffic alert with the offending ASN and organization attached as evidence, so a reviewer can see precisely why the traffic was distrusted rather than staring at an opaque risk number.

Impossible travel: catching the geography that cannot be real

Anonymized traffic often gives itself away through motion. A device that clicks from one country and then, twenty minutes later, clicks from another country two continents away has not booked a very fast flight. It is the same operation cycling exit nodes, or a single fraud farm laundering clicks through rotating proxies.

Guardian's GeoVelocityRule catches this as impossible travel. Keyed on the device fingerprint, it remembers the last location a device was seen at for a 24-hour window. When that device reappears in a different country, the rule computes the great-circle distance between the two points and divides by the elapsed time. If the implied speed exceeds roughly 1,000 km/h, faster than commercial air travel, it raises a Geographic Anomaly alert. The evidence it records is human-readable on purpose: the implied speed, the distance covered, the time between the two sightings, and both countries. A reviewer sees the story, not just a score.

This is the check that turns raw geography into behavior. A single proxied click can hide. A device teleporting between continents cannot.

Signals combine into a verdict, then Guardian blocks in silence

None of these rules acts as a lone hair-trigger. Each contributes a weighted score into a single risk assessment on a 0-to-100 scale, alongside the rest of Guardian's rule set (bot detection, velocity, duplicate traffic, and more). That combined score maps to an action:

Risk scoreActionWhat happens
0–25AllowTracked normally
26–50MonitorTracked, but recorded for review
51–75FlagAlerted for investigation
Above 75BlockRejected as fraud

Each org tunes this to its own risk appetite. Rules can be individually enabled, disabled, or reweighted, so a program that lives or dies on clean geo-compliance can turn up the proxy and geo-velocity signals without touching the rest.

Here is the part that matters most. When traffic crosses the block threshold, Guardian does not slam a door the fraudster can see. Its default block action is a silent redirect: the blocked visitor is still forwarded to the advertiser's destination exactly as they would be normally, but no tracking cookie is set and no billable click is attributed. The event is recorded on your side as blocked, with its full risk breakdown, so you keep the intelligence. The fraudster sees an ordinary redirect and a page that loads. They get no error, no challenge, no signal that they were caught, and therefore nothing to adapt against. A fraud operation that never learns which of its exit nodes are burned keeps burning them.

That is a deliberate choice over the alternative of returning a hard rejection. Loud blocking teaches your adversary. Silent blocking starves them.

The border you didn't know you had

The honest framing is this: geolocation is not a wall you build once and forget. It is a diagnosis you run on every visitor, continuously, against data that refreshes itself twice a week. TrackingMD verifies the country of every click against the network it truly came from, distrusts the hosting racks and anonymizer networks that real customers never use, and treats a device that appears to outrun a jet as exactly the anomaly it is, all while keeping imported target-country data on your programs ready for deeper runtime geo-enforcement as it rolls out.

The traffic that misrepresents its origin is betting you will trust the label on the envelope. Check the postmark instead, on every event, before it turns into a conversion you have to pay for, and the border stops being a place fraud walks across. It becomes the place fraud quietly stops.

See it in your own program

Start your free 7-day trial and put these ideas to work — no credit card required.

Start free trial

We use essential cookies to run the platform. With your consent, we also collect privacy-friendly, first-party usage analytics — no third-party trackers and no cross-site tracking cookies. Choose “Essential Only” to opt out of analytics. Privacy Policy